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(57) The invention discloses a method of updating, 
in nodes on both ends of a secure link, the encryption 
key they share to encrypt and decrypt data. When hav- 
ing to transmit data from one of the nodes (1 4) towards 
its peer remote node (16), a data base (22) in the for- 
warding node, is first updated from the data to be trans- 
mitted. Then, encryption is performed and data trans- 
mitted to the peer remote node while a next-to-use en- 
cryption key is derived from the new contents of the data 
base. When received, data are decrypted with the cur- 



rent value of the encryption key and the peer remote 
node data base is updated identically from the received 
decrypted data after which a next-to-use encryption key 
is derived, thereby obtaining in the peer remote node, a 
next-to-use identical key. The data base is preferably 
the dictionary (46) of a data compression/decompres- 
sion system used simultaneously with encryption/de- 
cryption to transmit data over the secure link. While keys 
are frequently updated, for improved security, the inven- 
tion does not require that key updates need to be actu- 
ally distributed. 
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Description 
Teciinical field 

[0001] The present invention relates generally to se- 
cure connnnunications when data nnust be sent from a 
transmit device to a receive device in an encrypted form 
and particularly refers to a method of dynamically up- 
dating encryption keys without having to transmit them. 

Background art 

[0002] Secure communications systems, based on 
cryptography, are used to prevent unauthorized access 
to data on communications links so that sensitive Infor- 
mation can be exchanged with little risk of eavesdrop- 
ping. In typical point-to-point cryptographic systems, an 
encryption device transmits encrypted or coded digital 
data to a decryption device over a secure data link. 
[0003] The digital data is encoded using a key known 
only to the encryption and decryption parties in order to 
deny data access by any unauthorized third party. This 
scheme implicitly refers to symmetric encryption, the 
conventional method of insuring security In the ex- 
change of Infonnatlon being characterized In that the 
same key is used both for encryption and decryption, 
The security of symmetric encryption remains in the key 
i.e., divulging the key means that anyone could encrypt 
and decrypt messages. That Is why the algorithms used 
for symmetric encryption are also referred to as secret- 
key algorithms. The best example of this is DES, which 
stands for Data Encryption Standard, and which has 
been Indeed a standard since the 70's and is still uni- 
versally used. Again, the security of such an algorithm 
resides only In the key and does not depend, whatso- 
ever, on the secrecy of the algorithm. On the contrary, 
as a standard, the algorithm is completely specified and 
made available to all users. 

[0004] DES Is a block cipher algorithm wherein data 
are encrypted and decrypted in 64-bit blocks. A 64-bit 
block of text is converted by the algorithm into a 64-bit 
block of cipher text, with no overhead, except the nec- 
essary padding to make the whole message encode a 
multiple of 64 bits. The basic key is 56-bit long although 
it Is expressed as a 64-bit number since a parity bit, per 
byte, is used for parity checking however, ignored by the 
algorithm. Thus, the key can be any 56-bit number and 
can possibly be changed anytime provided both parties 
have a secure means to agree on a new key before ex- 
changing data. To improve the strength of DES i.e., to 
increase the difficulty of breaking It, triple pass DES with 
112-bit key or 168-bit key Is also commonly used now- 
adays. Because DES has been around for over 20 
years, it has been thoroughly tested and has behaved 
remarkably well against years of cryptanalysis. Al- 
though it is still secure, it becomes obviously relatively 
weaker due to the dramatic increase in power compu- 
tation now available In a single computer and even more 



In a group of computers cooperating to break such a 
code. Therefore, breaking DES consists 'only' in retriev- 
ing the particular key that was used to encode a mes- 
sage or a file since algorithm itself is completely known 
5 as stated above. The trivial way of achieving this being 
a brute-force attack in which all 2^^ keys of standard 
DES would be tried, insures that, on the average, after 
2^8 attempts, encryption key may be found. 
[0005] Thus, besides the length of the key, which is 
10 the prime contributor to prevent DES to be easily 
cracked, the other very important contributor is the du- 
ration during which such a key stays in use between two 
parties that want to keep secret the content of the infor- 
mation they are exchanging. As a general rule no en- 
15 cryptlon key should be used for an Indefinite period of 
time since the longer a key is used, the greater the risk 
it will be compromised (loss, accident e.g., a key could 
be accidentally displayed in clear due an application 
software bug) and the greater the temptation for some- 
20 one to spend the effort necessary to break It. Breaking 
a key shared by two banks for an extended period of 
time e.g. one month, would enable a hacker to interfere 
In the exchange of money between those two banks dur- 
ing the same period of time. Also, the more data are se- 
25 cured with a given key, the more devastating the loss If 
the key is compromised. Finally, a long lifetime of a key 
also provides more ammunition for an adversary to 
break it since the adversary potentially has access to 
significantly more data to work with. Thus, it Is clear that 
30 it would be highly desirable that keys should remain in 
use for short or very short periods of time (and ideally 
only for one session) so that no attack could reasonably 
be conducted with a good chance of success before key 
Is updated. However, this brings the usual problem. In 
35 symmetric cryptography, to have to distribute the keys 
shared by pairs of users over a large network. 
[0006] To solve this problem, asymmetric encryption 
was devised. RSA algorithm (named after its creators i. 
e., Rivest, Shamir and Adelman) and asymmetric algo- 
40 rithms In general solve the problem by using two keys: 
one private (secret) key and one public key. Public key 
of party A is made accessible to anybody who has to 
talk to A. Thus, when party B is ready to talk to A, It must 
use A public key to encode a message and because the 
^5 scheme is asymmetric, only A using its private (secret) 
key, will be able to decode the message. Therefore, the 
message can contain the secret key to be shared by two 
users utilizing the symmetric encryption method previ- 
ously described i.e. DES. This way of doing, which is 
50 nowadays a standard is, in practice, required because 
RSA and generally speaking all known public-key algo- 
rithms assume a lot of calculations involving exponen- 
tiation and/or discrete logarithms to be computed on 
very large numbers. A RSA secret-key is now commonly 
55 a 1 024-bit binary word (rapid progresses have been re- 
ported in the recent years on the cracking of RSA-like 
keys forcing the use of very large keys so that 2048-blt 
and 4096-blt keys are considered In the Implementation 
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of the crypto-processors specialized to process RSA 
and DES algoritlinns for fast encryption) assuming that 
exponentiations in that range are performed to encrypt 
a message. Thus, RSA algorithm is reported to be sev- 
eral orders of magnitude slower than DES, which ex- 
plain why both are most often combined to Implement a 
cryptographic system. 

[0007] Before the encryption , the compression of data 
is very often used in data communications systems. The 
objective is twofold. Besides limiting the memory re- 
quired to store a compressed file, the chief advantage 
is that less data have to be transmitted overall, thus sav- 
ing bandwidth on expensive communications lines. Al- 
so, data compression can make cryptanalyzis more dif- 
ficult. Most often, to launch an attack especially, a brute- 
force attack, a cryptanalyst needs a small amount of ci- 
pher data and the corresponding plain data. In practice, 
this may not be difficult to obtain since communications 
protocols, at various levels, have standard message 
headers whose formats are well known. Since data 
compression is performed on top of encryption, the cor- 
responding plain data are meaningless or at least it be- 
comes very difficult to match a particular protocol head- 
er. Especially, the numerous data compression tech- 
niques derived from the Zlv-Lempel method (J. Zlv and 
A. Lempel, "Compression of individual sequences via 
variable-rate coding," IEEE Trans. Inform. Theory, 
vol~IT-24, no~5, 1978) assume the use of an evolving 
dictionary in each node where data are compressed and 
decompressed. Then, dictionary contains the codeword 
representation based on a tree structure with brother, 
son and parent links and the corresponding character 
on each node or leaf. It Is possible to start with an empty 
dictionary which needs to contain however, the first 
character of each sub-tree. Although dictionary is con- 
stantly evolving, it is kept identical on both ends while 
no specific data exchange need to take place to main- 
tain the same contents. This is achieved from the trans- 
mitted data Itself. With such a scheme, an Identical 
evolving database is thus available on either end of a 
communication link while the changes cannot deduced, 
from the observation by an eavesdropper, of the data 
exchanged over the line. Therefore, a dynamic key can 
be derived from the directory contents using some form 
of one-way function such as hashing in order to fre- 
quently generate new keys. 

[0008] Therefore, even if data compression before 
encryption can Improve the security Inasmuch as the 
compression increases the difficulty of cracking the en- 
cryption key, a perfect security can be obtained only by 
changing frequently the encryption key. Although RSA 
key can be used to exchange new secret keys, such an 
exchange Involve resources, adds overhead and stops 
the normal data transmission since the security associ- 
ation should be restarted. This is why secret keys are 
not changed very often and would never be changed at 
each packet. But keeping the same key during some 
time opens ways to spy, modify, reroute or copy the data 



using copy and paste to another stream and is not safe 
whatever the complexity of the encryption Is. 

Summary of the invention 

5 

[0009] Therefore, the main object of the invention is 
to improve the security of a symmetric cryptographic 
system by allowing to change frequently the common 
secret key. 

10 [001 0] It is a further object of the invention to provide 
a method of dynamically updating the common encryp- 
tion/decryption key of asymmetric encryption system on 
both ends of a secure communication link without hav- 
ing to actually exchange a new key, thus avoiding the 

15 frequent use of a public-key asymmetric encryption sys- 
tem or any equivalent system of distributing keys. 
[0011] It is another object of the invention to derive 
the next secret key to use from an evolving database, 
the contents of which are kept identical on both ends of 

20 a communication link, such as the dictionary of a data 
compressing system. 

[0012] The invention relates therefore to a method of 
updating in a data communications system, the encryp- 
tion key shared by nodes on both ends of a communl- 
25 cation link. The nodes include an Identically evolving da- 
ta base. When having to transmit data from one of the 
nodes towards its peer remote node, the data base is 
first updated from the data to be transmitted. Then, from 
the current value of a key, encryption Is performed over 
30 the data that are thus transmitted to the peer remote 
node. After which, a next-to-use encryption key is de- 
rived from the new contents of the data base. When the 
encrypted data are received by the peer remote node, 
they are first decrypted with the current value of the en- 
35 cryption key. Then, the data base of peer remote node 
is updated identically from the received decrypted data. 
From the contents of the data base, a next-to-use en- 
cryption key Is derived, thereby obtaining in the peer re- 
mote node a next-to-use Identical key. 
40 [0013] In a preferred embodiment of the invention da- 
ta base is the dictionary of a data compression/decom- 
pression system used simultaneously with encryption/ 
decryption to transmit data. The method of the Invention 
permits that the key of a symmetric encryption system 
45 be frequently updated on both ends of a secure com- 
munication link thus, greatly improving security, without 
requiring that new keys need to be actually transmitted. 

Brief description of the drawings 

50 

[0014] Further objects, features and advantages of 
the present invention will become apparent to the one 
skilled In the art upon examination of the following de- 
scription in reference to the accompanying drawings. 

55 

Fig. 1 Is a schematic block-diagram showing the 
minimum network configuration necessary to imple- 
ment the method according to the Invention. 
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Fig. 2 is a block diagram of a node comprising all 
the features used to implement the method accord- 
ing to the invention. 

Fig. 3 is a flow chart showing the different steps to 
the method according to the invention when trans- 
mitting to a remote node. 

Fig. 4 is a flow chart showing the different steps of 
the method according to the invention when receiv- 
ing from a remote node. 

Detailed description of the invention 

[0015] Fig. 1 describes the minimum network config- 
uration necessary to better understand the framework 
of the invention. In this network two DTE's (data terminal 
equipment) devices DTE1 10 and DTE2 12 communi- 
cating respectively through nodes NODE 1 14 and 
NODE 2 16 have to establish a secure communication 
over e.g. a WAN (Wide Area Network) connection 18 
thus, forming a security association 20 referred to as SA 
in the following. Therefore, nodes 14 and 16 have the 
capability of encrypting and decrypting their communi- 
cations using a common secret key. The key is kept con- 
stantly updated, with the mechanism of the invention as 
further described in thefollowing figures, so as to greatly 
improve the security of the transactions over the WAN 
connection 18. This mechanism is based on the as- 
sumption that an evolving data base 22 or 24 is present 
in each node the contents of which are kept identical. 
On the contrary, communications between DTE1 and 
NODE 1 1 4 on one hand and between DTE2 and NODE 
2 16 on the other hand are in clear since they are as- 
sumed to be perfomied in a secure confined environ- 
ment, e.g. within a single box located in user's premises. 
The method of the invention assumes that a first com- 
mon key is available in NODE 1 1 4 and NODE 2 1 6 to 
start playing with. The way this is achieved (once at in- 
itialization and possibly at regular intervals or on the oc- 
currence of an event later on) is beyond the scope of 
the invention and could be performed, e.g. through the 
use a public-key algorithm, such as RSA, well known 
from the art and briefly described here above in the 
background art section, or through any other method of 
distributing a secret key. It is worth noting that forming 
such a SA or restoring it after a while (because SAs are 
generally configured so as they time out anyway, for se- 
curity sake, irrespective of the traffic, but are only re- 
stored on demand) is disruptive for the ongoing traffic, 
or needs time to be re-established, while the method of 
the invention which allows to frequently update keys 
does not hold traffic whatsoever. 
[0016] Fig. 2 better describes a node 30, of the kind 
shown in Fig. 1 , interfacing a DTE 32 on one end and a 
transmission line 34 on the other end. The Node in- 
cludes a 'DTE Interface and Flow Control circuitry' 36 
whose function, in cooperation with 'Microcontroller' 38, 
is to achieve the temporary storing, into a 'Buffer Mem- 
ory' 40, of the data stream or packets received from DTE 



32 so that they are eventually transmitted to a remote 
node. As an example, this is performed here with the 
help of a 'Memory and DMA (Direct Memory Access) 
Controller' 42. Then, data packets are sent to a 'Data 

5 Compressor/Decompressor' 44 which uses and up- 
dates a Dictionary 46. On each data packet or set of 
packets, forming an entity to be transmitted over the 
transmission line 34, a one-way function 48 such as 
hashing or CRC (Cyclic Redundancy Checking) is per- 

10 formed on Dictionary 46 so as to compute a fixed-size 
digest or signature of it reflecting its current contents. 
This is typically a 100-bit to 200-bit vector which is 
passed to 'Data Encryptor and Decryptor' 50 from which 
the next key to be used is generated and used over the 

15 compressed data also sent to 'Data Encryptor and De- 
cryptor' 50. Then, encrypted packets are sent to a re- 
mote node through a Line Interface and Flow Control 
circuitry 52 for low layer encapsu lation and transmission 
over line 34. 

20 [0017] Receiving is similar to what is just described 
here above in reverse order though. Encrypted data re- 
ceived from the line 34 are stored alike in 'Buffer Mem- 
ory' 40 after having been decrypted using the current 
key available in 'Data Encryptor and Decryptor' 50. 

25 Once decrypted, compressed data is sentto 'Data Com- 
pressor/Decompressor' 44 and Dictionary 46 is updat- 
ed, allowing to generate a new key value derived from 
the new contents of the dictionary with the same one- 
way function 48 here above mentioned. This new value 

30 is passed to 'Data Encryptor and Decryptor' 50 in order 
to be used for a next data packet or set of data packets, 
The decompressed data is stored temporarily in Buffer 
Memory 40 before being sent, in clear, to DTE 32 
through 'DTE Interface and Flow Control' circuitry 36. 

35 [001 8] Fig. 3 describes the encryption process which 
starts when a new key has been made available in both 
nodes I.e., in nodes 14 and 16 shown previously in Fig. 
1 , which are then able to establish a secure communi- 
cation between them forming a new security association 

40 or SA already discussed in Fig. 1 . Step 54 checks 
whether a new SA has just been defined. This is the 
case whenever a secure communication is initialized, 
but also each time a new encryption key is exchanged 
later on, through another channel, or with a different 

45 mechanism, e.g. by enabling a key exchange through a 
secure session using a public-key encryption system, a 
technique well-known from the art. According to the in- 
vention, a new security association can also be formed 
periodically or upon the occurrence of a particular event 

50 such as overflowing of the packet sequence number or 
detecting transmission of errors. 
[001 9] If this is indeed the case, one proceeds to step 
56 where the current encryption key, simply referred to 
as KEY in the following, becomes the new SA key. Also, 

55 the sequence number 'SN' used in the encryption pro- 
tocol header is reset to 1 . However, if answer to interro- 
gation 54 is negative (the usual case) KEY is updated 
at step 58 from a value derived from the encryption dic- 
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tionary 46 shown in Fig. 2. As already discussed tlnis 
value used to update the current key is generally speak- 
ing a fixed-size digest, e.g. the result of a hash function 
or a CRC, applied on the contents of the dictionary which 
are constantly evolving depending upon the data ex- 
changed between the two nodes. 
[0020] Once a KEY is defined, step 60 is performed 
during which data is connpressed. The latter step may 
be made as sophisticated or as simple as necessary de- 
pending on which criterion must be first considered. For 
example, a simple compression algorithm could be re- 
tained if computing resources are scarce in nodes. How- 
ever, if computing resources are not the limiting factor, 
one may decide to get a better compression ratio using 
a more complex method such as the one defined in 
standard V,42 bis of ITU-T (International Telecommuni- 
cations Union) based on the Ziv-Lempel algorithm pre- 
viously discussed. However, whichever solution is 
adopted for compression, the main objective remains 
that codewords are used in transmission instead of real 
data, codewords based on an evolving dictionary are ac- 
tually exchanged. 

[0021] When compression is done, compressed data 
is encrypted at step 62 using current KEY. After which, 
at step 64 an encrypted packet is fonnatted whose 
header 'Sequence Number' SN 66 is incremented by 
one so as the enciphered data can be sent over the line 
to the peer remote node. It is worth noting here that SN 
field is always a fixed-size field (typically a 16-bit wide 
field) so as SN counter eventually wraps. Therefore, it 
is a good practice that wrapping of the counter associ- 
ated to this field triggers a new SA so that key updating 
process resumes with a fresh seed key further contrib- 
uting to keep nodes transactions secure. 
[0022] Finally, step 68 performs a hash on the new 
dictionary contents (orwhicheverfunction is selected to 
get a fixed-size digest of it) in order to build a new key 
that is used at next loop when process resumes at step 
54. 

[0023] Fig. 4 describes the decryption process which 
starts with the receiving of a new packet from a peer 
node. This may take place only after a SA (security as- 
sociation) has been set between the two nodes and im- 
plies that a first common key is available in them to start 
with. Steps 70, 72 and 74 are Just identical to what is 
described for the encryption process in Fig. 3 here 
above. Briefly, KEY to use, as with encryption, is either 
a new key resulting of a new SA or an updated one re- 
sulting of a computation over current contents of diction- 
ary. Once KEY is selected, next step 76 is to decrypt the 
incoming data from it. Then, at step 78 data is de-com- 
pressed. While starting from the current contents of the 
dictionary, the decompression step itself has the effect 
of updating it, based on the new received data from the 
peer node (so as dictionary is constantly evolving). Fi- 
nally, as with encryption, a new hash on the dictionary 
contents must return, step 80, a value identical to the 
one obtained with the encryption process, in the remote 



node, and from which the same new key is derived after 
which receive process resumes at step 70. Obviously, 
all this implicitly assumes that no error occurs in the 
transmission so as the evolution of the dictionaries is 
5 kept identical on both ends of the secure link. However, 
as soon as an error is detected, all standard methods 
known from the art may possibly be applied to recover 
so as communication can resume in a known state. This 
includes the simple solution of restarting from scratch 
10 with a new key while dictionaries are reset. As far as this 
latter point is concerned the invention does not assume 
that, at initialization or after a recovery on error, diction- 
aries need to be 'blanked' or may just contain a skeleton 
from which they are progressively rebuilt through the da- 
15 ta compression process. Dictionaries may be filled with 
predefined values however, at the expense of having to 
consider this as a secret to be protected like keys. 



1. Method of updating an encryption key in a data 
communication system comprising a transmitting 
node (14) which receives clear data from a trans- 

25 mitting DTE (10) and a receiving node (16) which 
transmits clear data to a receiving DTE (12), said 
transmitting and receiving nodes forming a security 
association (20) sharing said encryption key for 
communicating cipher data between them and in- 

30 eluding identically involving data bases (22 or 24); 
said method comprising the steps of : 

Upon transmitting data from said transmitting 
node to said receiving node : 

35 

updating said data base (22), in said trans- 
mitting node by using said clear data re- 
ceived from said transmitting DTE, 

40 - encrypting (62) in said transmitting node 

data to be transmitted by using the current 
value of said encryption key, 

transmitting (64) encrypted data to said re- 
45 celving node, and 

deriving (68) from the new contents of said 
data base in said transmitting node, a next- 
to-use encryption key, 

50 

Upon receiving encrypted data in said receiving 
node : 

decrypting (76) in said receiving node, re- 
55 ceived encrypted data by using the current 

value of said encryption key, 

updating identically said data base (24) in 
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said receiving node, by using the received 
decrypted data, 

deriving (80) from contents of said updated 
data base in said receiving node, a next- 5 
to-use decryption key identical to said next- 
to-use encryption l<ey. 

2. Tine metinod according to clainn 1 , furtlier connpris- 

ing a step of compressing said clear data received io 
from said transmitting DTE (1 0) by said transmitting 
node (14) before said step of encrypting. 

3. The method according to claim 2, further compris- 
ing a step of decompressing the decrypted data af- is 
lev said step of decrypting in said receiving node 

(1 6) before transmitting clear data to said receiving 
DTE (12). 



10. The method according to any one of the previous 
claims, wherein a new security association (20) is 
formed periodically or upon overflowing of the pack- 
et sequence number. 

11. The method according to any one of the previous 
claims, wherein a new security association (20) is 
formed periodically or upon detecting transmission 
errors. 

12. The method according to claim 10 or 11 , wherein 
said data base (22, 24) is reset to a secret set of 
values on restarting said new security association 
(20). 

13. The method according to any one of the previous 
claims, wherein said data base (22, 24) is reset to 
a secret set of values on initialization. 



4. Method according to claim 3, wherein said identi- 20 

caliy evolving data base (22 or 24) in said transmit- 
ting node (14) and receiving node (16) is an identi- 
cal dictionary for respectively compressing data be- 
fore encrypting in said transmitting node and de- 
compressing data after decrypting in said receiving 25 
node. 



14. A secure data communications system comprising 
means adapted for carrying out the method accord- 
ing to any one of the previous claims. 

15. A computer-like readable medium comprising in- 
structions for carry inig out the method according to 
any one of the claims 1 to 1 3. 



5. The method according to claim 4, wherein said 
identical dictionary in said nodes (14, 16) is the re- 
sult of using the Ziv-Lempel algorithm or any one of 30 
its variants to perform said data compressing and 
said data decompressing. 

6. The method according to any one of the previous 
claims, wherein said steps of deriving said next-to- 35 
use e n crypt ion/decryt ion key further include the 
step of obtaining a digest from the current contents 

of said evolving data base (22, 24), said step of ob- 
taining a digest further including the step of utilizing 
directly said digest as the next-to-use key or com- 40 
bining said digest to said current key to get a next- 
to- used key. 

7. The method according to claim 6, wherein said step 

of obtaining a digest from the contents of said evolv- 45 
ing data base (22, 24) is a step of hashing to a fixed- 
size value (68 or 80). 

8. The method according to claim 6, wherein said step 

of obtaining a digest from the contents of said evolv- so 
ing data base (22, 24) is a step of computing a CRC 
(Cyclic Redundancy Checking). 

9. The method according to claim 6, wherein said step 

of obtaining a digest from the contents of said evolv- 55 
Ing data base (22 , 24) is a step of applying any other 
one-way like function. 
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